Out-Law News

Privacy Shield 2.0: EU-US Data Privacy Framework adopted

The European Commission has formally endorsed the EU-US Data Privacy Framework (DPF) in a move designed to support trans-Atlantic data flows.

The DPF is a package of measures designed to govern how personal data is protected when transferred from the EU to the US by businesses that self-certify to the framework. Initially at least, self-certification to the DPF privacy principles is only open to organisations regulated by the US Federal Trade Commission and US Department of Transportation. This notably excludes US financial services institutions and telecommunication companies from certifying. Annual re-certification is required.

The development of the framework reflects the fact that EU data protection laws place strict requirements on the transfer of personal data outside of the European Economic Area (EEA).

In its so-called ‘adequacy’ decision (137-page / 2.1MB PDF) on Monday, the European Commission said it considers that the level of protection for personal data exported under the DPF would be “essentially equivalent” to the protection the data would benefit from under the EU General Data Protection Regulation (GDPR) – the standard that needs to be met before an adequacy decision can be adopted.

The DPF represents the latest attempt by EU and US officials to provide a lasting framework that facilitates EU-US data flows in a way that complies with the requirements of EU law. The Court of Justice of the EU (CJEU) invalidated the EU-US Safe Harbor regime in 2015 and its successor, the EU-US Privacy Shield, in 2020. Central to the CJEU’s judgments were concerns that the respective frameworks failed to adequately safeguard EU citizens’ data when considered in the light of the powers US authorities had to access the data.

The Commission has said the DPF “introduces new binding safeguards to address all the concerns raised” by the CJEU, highlighting in particular that US intelligence agencies’ access to EU data would be limited to what is necessary and proportionate, and that EU citizens would be able to raise complaints before a new Data Protection Review Court (DPRC) established in the US.

Noyb, the group that led the legal challenge to the Privacy Shield and whose chair, Max Schrems, was behind the complaint concerning the Safe Harbor regime, said the DPF – dubbed ‘Privacy Shield 2.0’ – “is largely a copy of the failed ‘Privacy Shield’” and that fundamental reform to US surveillance legislation is needed to address the issues the CJEU found. Schrems said noyb is likely to lodge a legal challenge against the DPF before the CJEU by early 2024.

The Commission’s adoption of its adequacy decision came after EU member states issued a positive opinion in respect of the DPF last week. It also follows a recent announcement by US officials that the US had implemented all of the commitments made by US president Joe Biden in his executive order of last year pertaining to the DPF. Both MEPs and the EU data protection authorities that had scrutinised the framework had said it was essential that those commitments were implemented before the Commission adopted the adequacy decision.

In its statement, the Commission said: “US companies can certify their participation in the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations. This could include, for example, privacy principles such as purpose limitation, data minimisation and data retention, as well as specific obligations concerning data security and the sharing of data with third parties.”

“The Framework will be administered by the US Department of Commerce, which will process applications for certification and monitor whether participating companies continue to meet the certification requirements. Compliance by US companies with their obligations under the EU-US Data Privacy Framework will be enforced by the US Federal Trade Commission,” it said.

Data protection law expert Rosie Nance of Pinsent Masons said: “News of the new framework will be welcome for organisations looking to transfer data to the US. Following the Irish Data Protection Commission’s recent decision in respect of Meta’s transfers to the US, there has been uncertainty around what supplementary measures could realistically be relied on when using data transfer mechanisms like standard contractual clauses. The Data Privacy Framework is now available for eligible organisations. It is also likely to be helpful for compliance for transfers to recipients who are not eligible to certify under the DPF, or who have not signed up for any other reason.”

“For transfers reliant on standard contractual clauses or other ‘appropriate safeguards’, the commitments under the executive order may help organisations to demonstrate that the data they have transferred will receive ‘essentially equivalent’ protection when carrying out their data transfer impact assessments,” she said.

Last month, the UK and US governments announced that they had reached an agreement in principle over the establishment of a new legal framework for facilitating the transfer of personal data from the UK to the US. The new “data bridge” would operate as an extension of the EU-US Data Privacy Framework.
